z/OS Cryptographic Services System SSL Programming


Configuring the SSL started task

SC14-7495-00

  1. Create the home directory for the SSL started task (the default is /etc/gskssl/server).
  2. Copy the sample envar file (gsksrvr.envar) from /usr/lpp/gskssl/examples/ to /etc/gskssl/server/ with a new file name of "envar". By default, the full path is /etc/gskssl/server/envar (change the directory name to match the home directory created). Modify the LANG, TZ, and NLSPATH values to meet local installation requirements.
  3. Copy the sample started procedure from GSK.SGSKSAMP(GSKSRVR) to SYS1.PROCLIB(GSKSRVR).
    Note: The sample started task procedure routes informational messages, such as GSK01001I, to standard out, while error messages, such as GSK01015E, are routed to standard error. If you want to route informational and error messages to the same place in the job log, change:
    // / 1>DD:STDOUT 2>DD:STDERR')
    to
    // / >DD:STDOUT 2>&1')
  4. Create the GSKSRVR user and associate it with the GSKSRVR started procedure. Replace 'nnnnnn' in the ADDUSER command with a non-zero value that is not assigned to another user.
    ADDUSER GSKSRVR DFLTGRP(SYS1) NOPASSWORD OMVS(UID(nnnnnn) PROGRAM(/bin/sh) HOME(/etc/gskssl/server))
    
    RDEFINE STARTED GSKSRVR.** STDATA(USER(GSKSRVR) GROUP(SYS1) TRUSTED)
    
    SETROPTS RACLIST(STARTED) REFRESH
  5. Ensure that the pdsename.SIEALNKE and CEE.SCEERUN data sets are APF-authorized and are either in the link list concatenation or are specified as a STEPLIB for the GSKSRVR procedure.
  6. Optionally, set up a message processing exit to automatically start the GSKSRVR started task. The GSK.SGSKSAMP(GSKMSGXT) program is a sample message processing exit for this purpose. To activate the exit, add this to the appropriate MPFLSTxx member in SYS1.PARMLIB.
    BPXI004I,SUP(NO),USEREXIT(STARTSSL)

    This starts GSKSRVR when OMVS initialization is complete, assuming the GSKMSGXT program was linked as STARTSSL and placed in a LNKLST data set.

  7. Optionally, set up an automatic restart management (ARM) policy for the GSKSRVR started task if the default ARM policy values are not appropriate. The element type is SYSSSL and should be assigned to restart level 2. The element name is GSKSRVR_sysname. For example, the element name for the GSKSRVR started task on system DCESEC4 would be GSKSRVR_DCESEC4. Since the normal operating mode is to run the GSKSRVR started task on each system in the sysplex, the GSKSRVR started task registers with ARM to be restarted only if the started task fails and not if the current system fails. The TERMTYPE parameter of the ARM policy can be used to override this registration if you want.
  8. If access to the ICSF callable services is protected with CSFSERV class profiles on your system, the GSKSRVR user ID might need to be given READ authority to call the ICSF CSFIQA and CSFPPRF callable services. These services are protected by the CSFIQA and CSFRNG profiles. If these callable services are protected with a generic CSF* profile in the CSFSERV class, access can be granted by entering:
    PERMIT CSF* CLASS(CSFSERV) ID(GSKSRVR) ACCESS(READ)
    SETROPTS RACLIST(CSFSERV) REFRESH
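
Steps 1 and 2 as rerunnable shell functions, followed by a check that the three values named in step 2 are set. This is an added example, not IBM sample code; the function names, the NAME=value line layout assumed for the envar file, and the constructed sample used by demo are assumptions.

```shell
#!/bin/sh
# Added example, not IBM sample code. Defaults are the paths named in steps 1-2.
GSK_SAMPLE=/usr/lpp/gskssl/examples/gsksrvr.envar
GSK_HOME=/etc/gskssl/server

# Steps 1-2: create the home directory and install the sample as "envar".
# An existing envar is kept, so a rerun never discards local LANG/TZ/NLSPATH edits.
install_envar() {
    home=${1:-$GSK_HOME}
    sample=${2:-$GSK_SAMPLE}
    [ -r "$sample" ] || { echo "sample not readable: $sample" >&2; return 2; }
    mkdir -p "$home" || return 1
    if [ -e "$home/envar" ]; then
        echo "keeping existing $home/envar" >&2
    else
        cp "$sample" "$home/envar" || return 1
    fi
}

# Print the names among LANG, TZ and NLSPATH that have no non-empty NAME=value
# line (assumed file layout); return 1 if any are missing.
check_envar() {
    file=${1:-$GSK_HOME/envar}
    missing=
    for name in LANG TZ NLSPATH; do
        grep -q "^${name}=." "$file" 2>/dev/null || missing="$missing $name"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Demonstration against a constructed sample in a scratch directory.
demo() {
    work=${TMPDIR:-/tmp}/gskdemo.$$
    mkdir -p "$work" || return 1
    printf 'LANG=C\nTZ=EST5EDT\n' > "$work/gsksrvr.envar"   # constructed, NLSPATH omitted
    install_envar "$work/home" "$work/gsksrvr.envar" || return 1
    check_envar "$work/home/envar"                        # reports NLSPATH
    rc=$?
    rm -rf "$work"
    return $rc
}

# Run "sh thisfile demo" to exercise the functions without touching /etc.
if [ "${1:-}" = demo ]; then demo; fi
```

If a different home directory was created in step 1, pass it as the first argument to install_envar and pass its envar path to check_envar.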





Copyright IBM Corporation 1990, 2014